1. Technical Field
The present invention relates generally to securing communications between computer systems, and, in particular, to security methods and apparatus for maintaining the security of a local client computer system from a remote server computer system.
2. Background Art
In general, in the descriptions that follow, we will italicize the first occurrence of each special term of art which should be familiar to those skilled in the art of communication system security. In addition, when we first introduce a term that we believe to be new or that we will use in a context that we believe to be new, we will bold the term and provide the definition that we intend to apply to that term. In addition, throughout this description, we may use the terms assert and negate when referring to the rendering of a signal, signal flag, status bit, or similar apparatus into its logically true or logically false state, respectively.
With the proliferation of public communication networks, more and more computers are accessible from remote locations. The worldwide public network, the Internet and its alter ego the World Wide Web, comprises many millions of computers coupled together through either low-speed Internet Service Providers (“ISPs”) or high-speed broadband Service Providers (“BSPs”) (collectively, “SPs”). The ready availability of direct access to so many personal or business computer systems has resulted in a proliferation of criminal hackers, or crackers, attracted by the challenge of electronically breaking into such computing systems and either stealing commercially valuable information or simply causing havoc. For convenience of reference, we shall refer to all such untrustworthy communication networks as RedNets. In contrast, we shall refer to all trustworthy local networks as BlackNets, even though, in many instances, the BlackNet may consist of a single node owned and operated by a sole individual or business client.
To date, the most effective prior art communication security mechanism, known as a firewall, interposes a trusted, autonomous device or portal between a BlackNet and a RedNet. During initial power-up, the portal generally maintains strict communication silence, and only opens its communication ports once full security has been assured. Once initialized, the portal generally forwards to the RedNet all communication transactions originated by the BlackNet. In contrast, all transactions originating in the RedNet that are addressed to the BlackNet are first examined to determine whether selected characteristics of the transaction match any of a plurality of protection rules stored in a local protection rule base. If a particular transaction is found to match one of the protection rules, it is blocked and not forwarded to the BlackNet; otherwise, the transaction is forwarded to the BlackNet. In other words, such a portal forwards by default and blocks only on a rule match, so its protection is only as complete as its rule base. An example of such a prior art communication security system is shown and described in U.S. Pat. No. 5,606,668. Although communications on many RedNets, including the Internet, are packetized, we prefer to treat each individual packet as a separate transaction, and, throughout the following description, when we use the term “transaction” we intend to include individual packets in appropriate instances.
A first type of prior art protection rule, usually called a packet filter, requires the comparison of the Internet Protocol Source Address (“IPSA”) of each incoming transaction to the IPSA of a known cracker. Since it is a trivial matter for a cracker to temporarily usurp an assigned but currently inactive IPSA, or simply to forge the IPSA field of the packets he sends, and so masquerade as an innocent user, the protection afforded by this type of rule tends to be rather transient. Typically, it is the responsibility of the local client or, if available, the client's system administrator (“sys-admin”) to periodically update the local protection rule base, manually, using information shared by other sys-admins on known websites. Firewalls that perform only packet filtering are sometimes referred to as network-level firewalls. In general, network-level firewalls tend to be simple and fast because they are not required to perform complex analysis of packet contents or traffic history.
A second type of prior art protection rule, called stateful inspection, requires the examination of any of a number of distinct characteristics of the transaction, such as its type, together with the recent history of traffic through the portal, to determine whether the transaction is requesting an inappropriate response from the BlackNet, for example an attempt from the RedNet to open a connection that no BlackNet node has solicited. Since such requests may indeed be valid in a particular situation, depending upon the specific nature of the BlackNet and its recent activity on the RedNet, such protection rules tend to be rather general in scope. As a result, in some cases, the portal must request the assistance of the local sys-admin in determining the most appropriate response. Clearly, this results in additional workload for the sys-admin, and may result in unacceptable delays in validating essential BlackNet transactions. One additional negative aspect of stateful inspection rules is that they tend to be devised as point solutions to known attack strategies. Often, by the time an appropriate protection rule set has been devised and distributed among the cooperating sys-admins, the cracker community has already devised and distributed (via notorious cracker websites) more sophisticated methodologies. Again, given that most sys-admins are already overworked, there may be significant delays in installing the newest rule sets, leaving the BlackNet vulnerable for unacceptably long periods of time. Firewalls that perform stateful inspection are sometimes referred to as stateful inspection firewalls. In general, stateful inspection firewalls tend to be more complex and slower because they are required to perform complex analysis of packet contents or traffic history.
In a third type of firewall, called a proxy-level firewall, packets originated on the BlackNet are re-addressed (or, in an application-level proxy, the connection is terminated at the portal and a new connection is opened on the client's behalf) so that they appear on the RedNet as if originated by the firewall portal itself. As a result of acting as a proxy for the client, the true address of that client is hidden from the RedNet, and replies from the RedNet can be delivered only to clients whose outbound transactions the portal has recorded. Proxy-level firewalls often perform additional useful services, such as BlackNet auditing, traffic monitoring, and time-of-day control.
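The three prior art mechanisms just described (IPSA packet filtering, stateful tracking of the connections the BlackNet has opened, and proxy-style re-addressing of outbound packets) are illustrated below in a toy portal written as an added example for this text; it is not code from this patent, from U.S. Pat. No. 5,606,668, or from any product named herein. The addresses, ports, and the blocked IPSA are constructed from the RFC 5737 documentation ranges. The stateful rule is implemented in its strict form (an inbound packet that matches no connection opened from the BlackNet is dropped) rather than the forward-by-default behaviour of the prior art portal. The last scenario shows why an IPSA block list alone is transient: a packet sent from a usurped, unlisted address passes the packet filter and is stopped only by the stateful check.

```python
"""Toy firewall portal: packet filter, stateful connection tracking, proxy re-addressing.

Added illustration; addresses and rule contents are constructed, not from the page.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

# Constructed configuration (RFC 5737 documentation ranges).
PORTAL_IP = "203.0.113.1"        # RedNet-facing address of the portal
BLACKNET_PREFIX = "192.168.0."   # addresses on the trusted side


@dataclass(frozen=True)
class Packet:
    src: str     # Internet Protocol Source Address ("IPSA")
    sport: int
    dst: str
    dport: int


class Portal:
    def __init__(self, blocked_ipsa: Set[str]):
        # Packet-filter rule base: IPSAs of known crackers.
        self.blocked_ipsa = set(blocked_ipsa)
        # Stateful table: (rednet_ip, rednet_port, portal_port) -> (client_ip, client_port)
        self.conntrack: Dict[Tuple[str, int, int], Tuple[str, int]] = {}
        # Reverse map so a client flow keeps the same portal port.
        self._flow_port: Dict[Tuple[str, int, str, int], int] = {}
        self._next_port = 40000

    def from_blacknet(self, pkt: Packet) -> Packet:
        """Proxy behaviour: re-address an outbound packet so it appears to come from the portal,
        and record the flow so the reply can be matched and delivered to the real client."""
        if not pkt.src.startswith(BLACKNET_PREFIX):
            raise ValueError("from_blacknet called with a non-BlackNet source")
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._flow_port.get(flow)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._flow_port[flow] = port
            self.conntrack[(pkt.dst, pkt.dport, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=PORTAL_IP, sport=port)

    def from_rednet(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Apply the protection rules to an inbound packet. Returns (verdict, packet to forward or None)."""
        # Rule type 1: network-level packet filter on the IPSA.
        if pkt.src in self.blocked_ipsa:
            return ("DROP:packet-filter", None)
        # Rule type 2: stateful inspection; only replies to BlackNet-initiated flows are forwarded.
        client = self.conntrack.get((pkt.src, pkt.sport, pkt.dport))
        if client is None:
            return ("DROP:stateful-unsolicited", None)
        client_ip, client_port = client
        return ("FORWARD:established", replace(pkt, dst=client_ip, dport=client_port))


def run_scenario() -> Dict[str, object]:
    """Exercise the portal with constructed traffic and return the verdicts for inspection."""
    portal = Portal(blocked_ipsa={"198.51.100.7"})      # a "known cracker" IPSA (constructed)
    results: Dict[str, object] = {}

    # 1. A BlackNet client opens a connection; the portal proxies it under its own address.
    outbound = portal.from_blacknet(Packet("192.168.0.10", 51000, "198.51.100.20", 80))
    results["outbound"] = outbound

    # 2. The server's reply matches the tracked flow and is re-addressed back to the client.
    results["reply"] = portal.from_rednet(Packet("198.51.100.20", 80, PORTAL_IP, outbound.sport))

    # 3. A packet from the listed cracker IPSA is stopped by the packet filter alone.
    results["cracker"] = portal.from_rednet(Packet("198.51.100.7", 4444, PORTAL_IP, 22))

    # 4. The same cracker usurps an unlisted IPSA: the packet filter passes it, and only the
    #    stateful rule (no BlackNet node solicited this connection) blocks it.
    results["spoofed"] = portal.from_rednet(Packet("198.51.100.99", 4444, PORTAL_IP, 22))
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Note that the proxy's connection table is what makes the stateful decision possible: the packet filter inspects only the IPSA, which the sender controls, whereas the stateful rule relies on the portal's own record of what the BlackNet requested, which the sender cannot forge.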
In view of the interactive nature of current generation firewall portals, the implementing hardware tends to be in the form of a dedicated computer system, with associated input and output devices for the sys-admin to use in updating the protection rule data base and other support activities such as traffic analysis. While the significant cost of such systems, both initially and over time, can perhaps be amortized over a number of local nodes, that cost is certainly a significant barrier to widespread use in the home or small business environments. In fact, the requirement for a skilled sys-admin may itself make the cost of such a solution prohibitive to even moderate sized businesses.
One example of a very sophisticated, commercially available firewall system that implements most of the capabilities that we believe to be essential is the WatchGuard LiveSecurity™, available from WatchGuard Technologies, Inc., of Seattle, Wash. However, as will be apparent from reviewing the white paper, “WatchGuard LiveSecurity™—A New Approach to Network Security and Managed Security Services”, submitted herewith and incorporated herein by reference, this system is still dependent upon the timely recognition, at a centralized location, of new threats. Thus, until sufficient information regarding a new form of attack has been collected, manually, at that centralized location, no response can be crafted and distributed, leaving all clients vulnerable for what may be a dangerously long time. Given the speed with which new threats can spread, such reactive systems are, we submit, simply inadequate.
In general, current commercially available firewall technology is too difficult to maintain since each portal tends to stand alone and can defend against only those attack sources or strategies of which it has been made aware. In particular, for individuals and small business owners, it is desirable to have an efficient, low maintenance security device that will automatically protect their computer systems from unauthorized accesses, and proactively report suspicious activities to a centralized threat assessment and response center. Even more important, there is an urgent need for a more convenient and, especially, timely mechanism for updating the firewall portal as to the sources and strategies of new threats.